Bug 12466 - Out of bounds read in udhcp_get_option()
Status: RESOLVED INVALID
Alias: None
Product: Busybox
Classification: Unclassified
Component: Networking
Version: 1.31.x
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2020-01-14 06:14 UTC by zhaoyuhang0313
Modified: 2020-01-14 16:08 UTC
Description zhaoyuhang0313 2020-01-14 06:14:46 UTC
I noted that in send_ACK() and send_offer(), p_host_name is fetched and written without making sure of its length. Shouldn't we also check if the length is 4 before calling add_lease()?
Comment 1 Denys Vlasenko 2020-01-14 16:08:04 UTC
send_ACK():
        const char *p_host_name;
...
        p_host_name = (const char*) udhcp_get_option(oldpacket, DHCP_HOST_NAME);
        add_lease(packet.chaddr, packet.yiaddr,
                lease_time_sec,
                p_host_name,
                p_host_name ? (unsigned char)p_host_name[OPT_LEN - OPT_DATA] : 0
        );


send_offer():
                p_host_name = (const char*) udhcp_get_option(oldpacket, DHCP_HOST_NAME);
                lease = add_lease(packet.chaddr, packet.yiaddr,
                                server_data.offer_time,
                                p_host_name,
                                p_host_name ? (unsigned char)p_host_name[OPT_LEN - OPT_DATA] : 0
                );

Looks ok to me.


> Shouldn't we also check if the length is 4

No, the length is not necessarily 4.
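
The indexing idiom discussed in this thread, as an added example that is not part of the original bug report and is not busybox's code. find_option() and option_len() are hypothetical stand-ins; the OPT_* offsets are assumed to be 0/1/2 for the code/length/data layout of a DHCP option, and the lookup is assumed to return a data pointer only after checking that the option fits in the buffer, which is what makes the read at index OPT_LEN - OPT_DATA (that is, -1) land on the option's own length byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offsets inside one option: [code][len][data...] (values assumed here) */
#define OPT_CODE 0
#define OPT_LEN  1
#define OPT_DATA 2

#define DHCP_PADDING   0x00
#define DHCP_HOST_NAME 0x0c   /* option 12, RFC 2132 */
#define DHCP_END       0xff

/* Hypothetical simplified walker: returns a pointer to the option's data,
 * or NULL if the option is absent or would run past the buffer. */
static const uint8_t *find_option(const uint8_t *opts, size_t size, uint8_t code)
{
    size_t i = 0;
    while (i < size) {
        if (opts[i + OPT_CODE] == DHCP_PADDING) { i++; continue; }
        if (opts[i + OPT_CODE] == DHCP_END) break;
        if (size - i < OPT_DATA) break;           /* no room for a length byte */
        size_t len = opts[i + OPT_LEN];
        if (len > size - i - OPT_DATA) break;     /* data truncated: reject */
        if (opts[i + OPT_CODE] == code)
            return opts + i + OPT_DATA;           /* length byte sits just before */
        i += OPT_DATA + len;
    }
    return NULL;
}

/* The caller's idiom: data[OPT_LEN - OPT_DATA] == data[-1] == length byte */
static int option_len(const uint8_t *data)
{
    return data ? data[OPT_LEN - OPT_DATA] : 0;
}

/* Constructed sample: pad, host name "laptop1" (7 bytes), end */
static const uint8_t sample[] = { 0x00, 0x0c, 7, 'l','a','p','t','o','p','1', 0xff };
/* Constructed malformed sample: claims 200 bytes of data, carries 2 */
static const uint8_t truncated[] = { 0x0c, 200, 'a', 'b' };

int main(void)
{
    const uint8_t *h = find_option(sample, sizeof sample, DHCP_HOST_NAME);
    printf("len=%d name=%.*s\n", option_len(h), option_len(h), (const char *)h);
    printf("truncated -> %s\n",
           find_option(truncated, sizeof truncated, DHCP_HOST_NAME) ? "found" : "NULL");
    return 0;
}
```

The host name length comes from the packet, so a caller takes it from the length byte rather than expecting a fixed size such as 4.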